System of systems information assurance policy: a call for reform

Today's Department of Defense (DoD) system of systems (SoS) programme managers, engineers, and practitioners face significant information assurance (IA) challenges related to the interoperability of their SoS. An IA threat to one system poses varying degrees of risk to all the interconnected systems within an enclave or similarly labelled SoS. While current IA policies do address interconnection weaknesses and stipulate that the system with the highest number of vulnerabilities will be accounted for, current policies, procedures and methods fall short in providing guidance on how to address the weaknesses beyond the first 1:1 interface in a SoS. The purpose of this paper is to define SoS and to analyse both the fundamental concepts and the latest publications regarding SoS IA policies, procedures and methods. The overall goal is to establish a framework from which the DoD can begin to address the policy reform required to mitigate IA vulnerabilities in modern SoS.